Microsoft pushes enterprises to take stronger multifactor authentication measures
16 November 2020 | 0
A Microsoft executive is urging enterprises to abandon the most popular multi-factor authentication (MFA) method – one-time passcodes sent to mobile devices via text or voice – for different approaches, including app authenticators, that he claims are more secure.
“It’s time to start your move away from the SMS and voice Multi-Factor Authentication (MFA) mechanisms,” asserted Alex Weinert, director of identity security, in a post to a Microsoft blog. “These mechanisms are based on publicly switched telephone networks (PSTN), and I believe they’re the least secure of the MFA methods available today.”
Weinert argued that other MFA methods are more secure, calling out Microsoft Authenticator, his company’s app-based authenticator, and Windows Hello, the umbrella label for Microsoft’s biometrics technology, including facial recognition and fingerprint verification. It’s no coincidence that Weinert touted technologies Microsoft has aggressively pushed in its campaign to convince enterprises to go passwordless.
More than a year ago, Weinert spelled out how, in his view, passwords alone are no defense against credential theft, but that by enabling MFA, “your account is more than 99.9% less likely to be compromised”. That advice hasn’t changed, but Microsoft’s stance on MFA has now narrowed. “MFA is essential – we are discussing which MFA method to use, not whether to use MFA,” he wrote last week.
Weinert ticked off a list of security flaws in SMS- and voice-based MFA, the technique that typically sends a six-digit code to a predetermined, verified phone number. Those defects, Weinert said, ranged from a lack of encryption – texts are sent in the clear – to vulnerability to social engineering.
App-based authentication, Weinert contended, is a much more secure means to the WFA ends. He then touted Microsoft Authenticator, which comes in versions for Google’s Android and Apple’s iOS.
Authenticator boasts encrypted communication, supports facial and fingerprint recognition – letting users authenticate using those technologies when, say, their company-supplied laptops do not. Authenticator also supports one-time passcodes, duplicating the mechanism of SMS-based WFA, albeit in encrypted form from start to finish.
To some extent, Microsoft has put its policies where its mouth is. Since last year, new Office 365 and Microsoft 365 tenants have been accompanied by a set of default option settings called ‘security defaults‘, which require every user to authenticate through MFA. The Microsoft Authenticator app is the default MFA method.
IDG News Service
Is this an area of interest? Tailored training for IT Professionals
The Irish Computer Society provides members with the necessary qualifications, skills and training needed to succeed and excel within the profession.
Upcoming courses which may be of interest include:
- Certificate in Business Analysis – offers academic accreditation for business analysts through the use of proven business analysis techniques. Up to 100% funding available
- Managing a Data Breach – one-day advanced course covers the main factors which may lead to a data breach and what process should be followed in the event of occurrence of such.
- Free Web Accessibility Training – for anyone who creates web content and electronic documents, especially those in the public sector or those writing content for websites.
- Blockchain & new media webinar – Expert presentations and Q&A will discuss decentralised approaches to new media and broadcasting.